Video Screencast Help
Security Response
Showing posts in English
Ollie Whitehouse | 17 Aug 2006 07:00:00 GMT | 0 comments

With the advent of the Symbian mobile operating system we have been introduced to several new descriptors for different types of variables. These descriptors are used when writing software with Symbian's C++ API and are not standard C-style strings, but instead “classes” that perform strict type and length checking. These classes are designed to protect against buffer overflows and general memory corrupt bugs, among other things.

While this design is helpful because it stops overflows from overwriting the stack and heap, developers could develop a false sense of security. For what traditionally would have been a vulnerability that leads to arbitrary code execution, it is now potentially a vulnerability that causes a denial of service (DoS) condition.

Take the following code snippet as an example:

TBuf<5> Buf; //5 char buffer
_LIT(Boof,"AAAAAAAAAA"); // 10 chars
Buf.Copy(Boof); // Attempt to overflow

...
John Canavan | 16 Aug 2006 07:00:00 GMT | 0 comments

In recent months, we have seen a number of zero-day Microsoft Office exploits used to drop Trojan horses on affected systems. The release of the exploits had been timed so that when Microsoft released their patches, a zero-day exploit surfaced the next day. The timing of these releases was noted by Symantec Security Response and it was speculated that the people behind these exploits had discovered multiple vulnerabilities in Microsoft Office and were holding back on releasing them, in order to maximize the time-to-patch for each of their finds.

Today, we have seen another targeted attack on a document editing suite; however, this time around it is Justsystem's Ichitaro. Ichitaro is a word processing program widely used in Japan.

The malicious document uses a unicode stack overflow to execute its code on the system, dropping and executing a Trojan horse named Backdoor.Papi. When run, Backdoor.Papi copies itself to the %system% directory, creates a service named CAPAPI...

John Canavan | 16 Aug 2006 07:00:00 GMT | 0 comments

In recent months, we have seen a number of zero-day Microsoft Officeexploits used to drop Trojan horses on affected systems. The release ofthe exploits had been timed so that when Microsoft released theirpatches, a zero-day exploit surfaced the next day. The timing of thesereleases was noted by Symantec Security Response and it was speculatedthat the people behind these exploits had discovered multiplevulnerabilities in Microsoft Office and were holding back on releasingthem, in order to maximize the time-to-patch for each of their finds.

Today,we have seen another targeted attack on a document editing suite;however, this time around it is Justsystem's Ichitaro. Ichitaro is aword processing program widely used in Japan.

The malicious document uses a unicode stack overflow to execute itscode on the system, dropping and executing a Trojan horse namedBackdoor.Papi. When run, Backdoor.Papi copies itself to the %system%directory, creates a service named CAPAPI, and drops...

Peter Ferrie | 16 Aug 2006 07:00:00 GMT | 0 comments

In February of this year, Virus Bulletin published one of my articlesin which I was speculating about the meaning of a message that acertain virus was displaying. My questions were in regard to the W32.Idonus virusand more specifically, the word "Genetix" that was displayed. Whenexecuted, the virus randomly (a one in 1,983 chance) chose whether ornot to display the message “GeNeTiX is EVIL!”

In the VirusBulletin article I suggested that “Genetix” could be referring to aparticular molecular biology company, an anti-GMO food organization, orperhaps something else entirely. Well, as it turned out, the term“Genetix” was actually referring to a person. Not just any person, itseems, but the actual virus writer. In an attempt to make this clear,the virus writer has created a new virus (...

Symantec Security Response | 14 Aug 2006 07:00:00 GMT | 0 comments

In an earlier blog regardingMicrosoft’s recent vulnerability announcement, MS06-040 (Server servicevulnerability) was discussed, along with how this issue would beexploitable for worm-based attacks. Although there were samples ofproof-of-concept exploits released last week, it was pretty quiet onthis front, until now. We have now seen our first real, in-the-wildstyle attack leveraging MS06-040.

Here's what we know so far:
• On August 12, 2006 Symantec Security Response detected a new exploitbased on MS06-040, dubbed W32.Wargbot. This is a network-aware wormthat leverages the described vulnerability to spread itself onvulnerable machines. Once on the compromised machine, W32.Wargbot thenproceeds to open an IRC backdoor.
• In response to this new attack, Symantec has released AV signaturesspecific to W32.Wargbot; however,...

Robert Keith | 11 Aug 2006 07:00:00 GMT | 0 comments

As a vulnerability analyst, I need togather as much information as I can on new or existing vulnerabilities.Part of my job is to scour vendor security sites, public disclosurelists, and other security-related sites looking for security-relatedinformation. In the process I often come across messages, emails, orblog entries etc. that are, to me at least, quite amusing. Typically,these messages tend to be from application authors declaring that theirapplication “can’t have vulnerabilities” or, that “it just isn’tpossible”. The arguments are often made that the programmer is eithertoo reputable, or the software that they’ve developed has check uponcheck, making it impossible for the application to havevulnerabilities. Of course, no one wants to hear that something theyhave created has bugs or security holes, but more often than not,unfortunately it does. More likely, the case isn’t that the applicationis not vulnerable, but the author themselves may not understand...

Brian Hernacki | 10 Aug 2006 07:00:00 GMT | 0 comments

In a previous blog I wrote about security in municipal Wi-Fi networks and talked about what I called network identification. I wanted to talk a little more about that now. I think this is actually one of the hardest problems to deal with.

Just to recap, the problem is that when you attempt to connect to a wireless network, you do so based on the network name (the SSID). That name, however, is a very poor identifier. The administrator of the access point can name it whatever they like. So, if I want to setup an access point and name it "GoogleWi-Fi", I can. And now when anyone in range attempts to connect to a wireless network they will see one called "GoogleWi-Fi". So, how do you know who you're connecting to?

People have suggested a number of approaches. I've heard some suggestions around educating users about what names...

Symantec Security Response | 09 Aug 2006 07:00:00 GMT | 0 comments

Guess what time it is (again)? Yep—it’sthat time of the month when our friends at Microsoft open a bit oftheir kimono in the interest of "community service”. For Star DateAugust 8, 2006, Microsoft presents us with a cornucopia of issues: 23vulnerabilities spread over 12 bulletins, to be exact.

Manyof the items disclosed are rated "critical" by Microsoft and I couldn'tagree more. Some of the items carrying a critical rating are highlyexploitable and the most severe of them all is contained in theMS06-040 bulletin entitled "Vulnerability in Server Service Could AllowRemote Code Execution”. The bulletin speaks to a buffer overflowcondition (in the "Server" service, which is used for sharing resourcesbetween Windows machines) that may occur if specially crafted RPCmessages are sent to vulnerable machines. If successfully exploited, anattacker can take complete control over the affected system.

Worse yet, do you remember the worms of yore in the not too distantpast?...

Oliver Friedrichs | 09 Aug 2006 07:00:00 GMT | 0 comments

The Windows Vista operating system launches one of the most aggressive assaults on kernel mode security threats seen to date; even when compared to those capabilities seen in Mac OS X, Linux, and many UNIX variants. Microsoft is using a number of new security technologies in order to accomplish this:

• Driver signing (mandating digital signatures on all drivers)
• PatchGuard (protecting key kernel data structures – on 64-bit Windows)
• Kernel-mode code integrity checks (validating kernel component hashes)
• Optional support for Secure Bootup using a TPM hardware chip
• Access to \Device\PhysicalMemory blocked from user-mode

Our new paper, Windows Vista Kernel Mode Security takes a detailed look at the Vista boot process and these new security technologies. It also discusses techniques by which driver signing and PatchGuard can be...

Ollie Whitehouse | 08 Aug 2006 07:00:00 GMT | 0 comments

I posted a blog in May thatspoke about the potential for remote code execution on Windows CEdevices and the problems involved with patching. I also alluded to someresearch Symantec had been doing at the time. Well, at DefCon this pastweekend, Collin Mulliner demonstrated a remote code execution flaw viaMMS on Windows CE.

Collin's slides showhow he used a malformed MMS message to achieve arbitrary code executionon a device, simply by having a user view the message. This isobviously of great concern; Windows Mobile devices are becoming moreand more prevalent and the substantial challenges with patchingcontinue to exist.

At the end of 2005, the Symantec Advanced Threat Research teamperformed a detailed attack...